target/board/generic/sepolicy/execns.te 0 → 100644 +20 −0 # Network namespace transitions type execns, domain, domain_deprecated; type execns_exec, exec_type, file_type; init_daemon_domain(execns) allow execns varrun_file:dir search; allow execns self:capability sys_admin; #Allow execns itself to be run by init in its own domain domain_auto_trans(init, execns_exec, execns); # Allow hostapd to be run by execns in its own domain domain_auto_trans(execns, hostapd_exec, hostapd); allow hostapd execns:fd use; # Allow dnsmasq to be run by execns in its own domain domain_auto_trans(execns, dnsmasq_exec, dnsmasq); allow dnsmasq execns:fd use; target/board/generic/sepolicy/file.te +2 −0 type sysfs_writable, fs_type, sysfs_type, mlstrustedobject; type varrun_file, file_type, data_file_type, mlstrustedobject; type mediadrm_vendor_data_file, file_type, data_file_type; target/board/generic/sepolicy/file_contexts +3 −0 @@ -18,6 +18,8 @@ /vendor/bin/init\.ranchu-core\.sh u:object_r:goldfish_setup_exec:s0 /vendor/bin/init\.ranchu-net\.sh u:object_r:goldfish_setup_exec:s0 /vendor/bin/qemu-props u:object_r:qemu_props_exec:s0 /system/bin/execns u:object_r:execns_exec:s0 /system/bin/ipv6proxy u:object_r:ipv6proxy_exec:s0 /vendor/bin/hw/android\.hardware\.drm@1\.0-service\.widevine u:object_r:hal_drm_widevine_exec:s0 @@ -36,4 +38,5 @@ # data /data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0 /data/var/run(/.*)? u:object_r:varrun_file:s0 target/board/generic/sepolicy/goldfish_setup.te +12 −0
@@ -11,3 +11,15 @@ allow goldfish_setup vendor_toolbox_exec:file execute_no_trans; allowxperm goldfish_setup self:udp_socket ioctl priv_sock_ioctls; wakelock_use(goldfish_setup); allow goldfish_setup vendor_shell_exec:file { rx_file_perms }; # Set system properties to start services set_prop(goldfish_setup, ctl_default_prop); # Set up WiFi allow goldfish_setup self:netlink_route_socket nlmsg_write; allow goldfish_setup self:netlink_socket create_socket_perms; allow goldfish_setup self:capability { sys_module sys_admin }; allow goldfish_setup varrun_file:dir { mounton write add_name search remove_name }; allow goldfish_setup varrun_file:file { mounton getattr create read write open unlink }; allow goldfish_setup execns_exec:file rx_file_perms; allow goldfish_setup proc_net:file w_file_perms; target/board/generic/sepolicy/ipv6proxy.te 0 → 100644 +15 −0 # IPv6 proxying type ipv6proxy, domain, domain_deprecated; type ipv6proxy_exec, exec_type, file_type; init_daemon_domain(ipv6proxy) net_domain(ipv6proxy) # Allow ipv6proxy to be run by execns in its own domain domain_auto_trans(execns, ipv6proxy_exec, ipv6proxy); allow ipv6proxy execns:fd use; allow ipv6proxy self:capability { sys_admin sys_module net_admin net_raw }; allow ipv6proxy self:packet_socket { bind create read }; allow ipv6proxy self:netlink_route_socket nlmsg_write; allow ipv6proxy varrun_file:dir search;
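--- /dev/null
+++ b/target/board/generic/sepolicy/execns.te
+# Network namespace transitions
+type execns, domain, domain_deprecated;
+type execns_exec, exec_type, file_type;
+init_daemon_domain(execns)
+allow execns varrun_file:dir search;
+allow execns self:capability sys_admin;
+#Allow execns itself to be run by init in its own domain
+domain_auto_trans(init, execns_exec, execns);
+# Allow hostapd to be run by execns in its own domain
+domain_auto_trans(execns, hostapd_exec, hostapd);
+allow hostapd execns:fd use;
+# Allow dnsmasq to be run by execns in its own domain
+domain_auto_trans(execns, dnsmasq_exec, dnsmasq);
+allow dnsmasq execns:fd use;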
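Review bot: The new execns domain is declared with the `domain_deprecated` attribute, which is the legacy catch-all permission set that AOSP keeps around for domains that predate its removal rather than for new ones; a freshly added domain should be `type execns, domain;` with any permission it really needs added as an explicit allow rule once an audit denial shows it. The same applies to the ipv6proxy declaration in ipv6proxy.te. `allow execns self:capability sys_admin;` is presumably what the setns() call into the target network namespace requires, but nothing in the file says so; a one-line comment such as `# CAP_SYS_ADMIN: setns() into the per-interface network namespace` keeps the next maintainer from widening or dropping it blindly. The `#Allow execns itself...` comment is also missing the space after `#` that the other comments in the file use.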
target/board/generic/sepolicy/file.te +2 −0 type sysfs_writable, fs_type, sysfs_type, mlstrustedobject; type varrun_file, file_type, data_file_type, mlstrustedobject; type mediadrm_vendor_data_file, file_type, data_file_type;
target/board/generic/sepolicy/file_contexts +3 −0 @@ -18,6 +18,8 @@ /vendor/bin/init\.ranchu-core\.sh u:object_r:goldfish_setup_exec:s0 /vendor/bin/init\.ranchu-net\.sh u:object_r:goldfish_setup_exec:s0 /vendor/bin/qemu-props u:object_r:qemu_props_exec:s0 /system/bin/execns u:object_r:execns_exec:s0 /system/bin/ipv6proxy u:object_r:ipv6proxy_exec:s0 /vendor/bin/hw/android\.hardware\.drm@1\.0-service\.widevine u:object_r:hal_drm_widevine_exec:s0 @@ -36,4 +38,5 @@ # data /data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0 /data/var/run(/.*)? u:object_r:varrun_file:s0
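Review bot: The two new executable entries label `/system/bin/execns` and `/system/bin/ipv6proxy`, whereas every other executable this board policy labels in the surrounding context lives under `/vendor/bin`; if these binaries are built as part of the emulator board, installing and labeling them under /vendor/bin keeps the vendor policy from reaching into the system partition (whether the build actually places them in /system is not visible from the hunk, so treat this as a question for the author). The `/data/var/run(/.*)?` → `varrun_file` entry is consistent with the mounton/search rules added in goldfish_setup.te and the new domains, but a short comment next to it, e.g. `# network-namespace mount point used by execns`, would tell a reader why a /var/run-style tree exists under /data.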
target/board/generic/sepolicy/goldfish_setup.te +12 −0 @@ -11,3 +11,15 @@ allow goldfish_setup vendor_toolbox_exec:file execute_no_trans; allowxperm goldfish_setup self:udp_socket ioctl priv_sock_ioctls; wakelock_use(goldfish_setup); allow goldfish_setup vendor_shell_exec:file { rx_file_perms }; # Set system properties to start services set_prop(goldfish_setup, ctl_default_prop); # Set up WiFi allow goldfish_setup self:netlink_route_socket nlmsg_write; allow goldfish_setup self:netlink_socket create_socket_perms; allow goldfish_setup self:capability { sys_module sys_admin }; allow goldfish_setup varrun_file:dir { mounton write add_name search remove_name }; allow goldfish_setup varrun_file:file { mounton getattr create read write open unlink }; allow goldfish_setup execns_exec:file rx_file_perms; allow goldfish_setup proc_net:file w_file_perms;
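Review bot: `allow goldfish_setup execns_exec:file rx_file_perms;` lets the setup script execute execns without a domain transition, so that invocation stays in the goldfish_setup domain and the execns → hostapd / dnsmasq / ipv6proxy transitions declared in the new .te files never fire for it; if the script is what launches execns, `domain_auto_trans(goldfish_setup, execns_exec, execns)` looks like the intended rule (assuming execns is meant to run confined in its own domain — confirm against init.ranchu-net.sh, which is outside this diff). `allow goldfish_setup self:capability { sys_module sys_admin };` hands a shell-script domain two of the widest capabilities under a single `# Set up WiFi` comment; a per-capability note such as `# sys_admin: mount netns files under /data/var/run` and a justification for sys_module would make the grant reviewable, and sys_module should be removed if no module is actually loaded by the script. The rest of the goldfish_setup rule set lies outside the hunk.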
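--- /dev/null
+++ b/target/board/generic/sepolicy/ipv6proxy.te
+# IPv6 proxying
+type ipv6proxy, domain, domain_deprecated;
+type ipv6proxy_exec, exec_type, file_type;
+init_daemon_domain(ipv6proxy)
+net_domain(ipv6proxy)
+# Allow ipv6proxy to be run by execns in its own domain
+domain_auto_trans(execns, ipv6proxy_exec, ipv6proxy);
+allow ipv6proxy execns:fd use;
+allow ipv6proxy self:capability { sys_admin sys_module net_admin net_raw };
+allow ipv6proxy self:packet_socket { bind create read };
+allow ipv6proxy self:netlink_route_socket nlmsg_write;
+allow ipv6proxy varrun_file:dir search;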
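Review bot: `allow ipv6proxy self:capability { sys_admin sys_module net_admin net_raw };` grants four capabilities with no comment tying any of them to an operation; net_raw pairs with the `packet_socket { bind create read }` rule and net_admin with `netlink_route_socket nlmsg_write` below it, but nothing in the file accounts for sys_admin or sys_module, and a daemon that forwards IPv6 traffic between namespaces should not normally need to load kernel modules. Suggest annotating each capability (`# net_raw: packet_socket capture; net_admin: route/neighbour updates via netlink; sys_admin: <reason>`) and dropping sys_module unless an audit denial shows it is exercised, since a confined daemon holding CAP_SYS_MODULE defeats much of the point of confining it. If sys_admin is only needed because ipv6proxy is launched through execns, note that the namespace switch happens in the execns domain before the transition, so this domain may not need it at all — worth confirming with the actual denial log.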